Chariot supports Single Sign-On (SSO) through Okta.

To use Okta SSO in Chariot, please follow these directions:

Below, you will learn how to set up Okta SSO with the Chariot application. Following these instructions, you will add a DNS TXT record to your domain and then create the following three pieces of data. As you complete each step, copy the values and set them aside so that they can be entered on the Chariot SSO Setup page at the end of these instructions.

  • Client ID 
  • Client Secret 
  • Issuer URL

Setting up a DNS TXT Record

First, to configure SSO for your domain, you must publish a DNS record that proves ownership of that domain. Navigate to the DNS settings or DNS management page of the provider that hosts your domain, where you will see an option to add a DNS TXT record. Add a TXT record with the text "chariot=<email>", where <email> is the primary email of your Chariot account.

The primary email of your Chariot account can be found on the Organization Settings page in Chariot.

Your DNS TXT record might look something like this:

Domain          Name  Record type  Value
YourDomain.com  @     TXT          "chariot=YourPrimaryEmail@email.com"

To check whether the TXT record has been published in DNS by your domain provider, run the following command and look for "chariot=YourPrimaryEmail@email.com" in the output:

dig +short TXT YourDomain.com
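Because dig +short TXT prints every TXT record on the domain (SPF, verification tokens, and so on), it is easy to misread a partial match. The following script is an added example, not part of the Chariot documentation: it compares each returned TXT string against the exact "chariot=<email>" value, so a record that merely contains the email, or one that is on the wrong domain, is reported as missing. It assumes dig is installed; the sample dig output at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the Chariot docs): verify that a domain's TXT
# records contain exactly "chariot=<email>", the value the SSO setup expects.

# has_chariot_txt <email>
# Reads `dig +short TXT` output on stdin. Returns 0 if one record's value is
# exactly "chariot=<email>", 1 otherwise. Substring matches do not count.
has_chariot_txt() {
  expected="chariot=$1"
  # Each line is one record as one or more double-quoted strings; dig splits
  # long values into several strings, so join them before stripping quotes.
  while IFS= read -r line || [ -n "$line" ]; do
    value=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
    [ "$value" = "$expected" ] && return 0
  done
  return 1
}

# check_domain <domain> <email>: query the live zone and check the result.
check_domain() {
  dig +short TXT "$1" | has_chariot_txt "$2"
}

# Constructed sample output standing in for a real dig response: an SPF
# record plus the Chariot ownership record.
SAMPLE='"v=spf1 include:_spf.example.com ~all"
"chariot=YourPrimaryEmail@email.com"'

if printf '%s\n' "$SAMPLE" | has_chariot_txt 'YourPrimaryEmail@email.com'; then
  echo "Chariot TXT record found"
else
  echo "Chariot TXT record missing; wait for DNS propagation or re-check the value"
fi
```

Replace the sample with `check_domain YourDomain.com YourPrimaryEmail@email.com` to test the live zone; DNS changes can take time to propagate, so a missing result right after creating the record is not necessarily an error.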

Next, you will create an Okta application for Chariot.

1. Log in to the admin dashboard for your Okta organization via the Okta login page.

2. Click on Applications > Applications on the left side of the Okta admin dashboard.

3. Click on Create App Integration above the Applications table. The Create a new app integration page will appear.

Configure your Okta Application for Chariot.

1. Select "OIDC - OpenID Connect" as the Sign-in method.

2. Select "Web Application" as the Application type.

3. Click Next at the bottom.

4. Enter Chariot as the App integration name.

5. Enter "https://praetorian-chariot.auth.us-east-2.amazoncognito.com/oauth2/idpresponse" under Sign-in redirect URIs.

6. Enter “https://chariot.praetorian.com/login” under Sign-out redirect URIs.

7. Under Assignments, assign the users (or groups) that you intend to allow to access Chariot via SSO.

8. Save your Okta application.

(Optional) Set up Chariot Okta Tile

1. Under General > General Settings click the Edit link.

2. Under General > Login update the following settings:

  •  Login initiated by - Either Okta or App.
  •  Application visibility - ensure that “Display application icon to users” is enabled.
  •  Login flow - choose “Redirect to app to initiate login (OIDC Compliant)”.
  •  Initiate login URI - set to “https://chariot.praetorian.com/login”.

3. Hit “Save” to confirm your configuration changes.

Integrate your Okta application with Chariot

Log in to Chariot using your existing email/password credentials at https://chariot.praetorian.com/login and click on the profile badge in the top right corner of the Chariot application.

Clicking on the profile badge will open a menu. On the menu, click Organization Settings.

On the Organization Settings page, confirm that you are viewing the organization for which you would like to configure SSO access, and then click the Setup Single Sign-On (SSO) button.

When you click on Setup, the Setup SSO form pops up.

Chariot will prompt you for your corporate email Domain, Client ID, Client Secret, and Issuer URL. Here is how you can find each piece of information needed for the form:

Domain - your email domain, e.g. “praetorian.com” for email addresses such as “john.doe@praetorian.com”.

Client ID - copied from the “Client Credentials” section of the “General” tab of the Okta application you just created (see below).

Client Secret - copied from the “Client Secrets” section of the “General” tab of the Okta application you just created (see below).

Issuer URL - the base URL at which your users log in to Okta, e.g. "https://companyname.okta.com".

Once you have filled in all of the fields, hit Save. Your users should now be able to log in to Chariot using Okta as their identity provider.

Chariot Application Login With SSO

Once SSO setup is complete, users will be able to log in to the Chariot application through the Corporate ID portal.

Upgrade from Legacy Chariot

1. Follow the Setting up a DNS TXT Record steps above to prove ownership of your email domain and confirm your permission to set up SSO for Chariot with this domain.

2. Navigate to your existing Okta application for Chariot in the Okta Admin dashboard.

3. Under General > General Settings click the Edit link.

4. Update Sign-in redirect URIs to “https://praetorian-chariot.auth.us-east-2.amazoncognito.com/oauth2/idpresponse”.

5. Update Sign-out redirect URIs to “https://chariot.praetorian.com/login”.

6. Under General > Login update the Initiate login URI to “https://chariot.praetorian.com/login”.

7. Follow the Integrate your Okta application with Chariot steps above to configure SSO with Chariot using your existing Okta application.

Enjoy quick and easy access to Chariot with Single Sign On!

Note: Once SSO is set up, the DNS TXT record can be removed. If changes need to be made to the SSO configuration later (e.g. rotating the Client Secret), the TXT record will need to be re-added, because the configuration process checks it again to prove domain ownership.

If you encounter any issues, or need help with SSO, please reach out to support@praetorian.com.